txn vs jti vs none

[dhs-aws]

In the definition for txn it is stated, "if not provided, the SET jti claim may be used." As I read this it does not appear that either are required, which could lead to a state where duplicate transactions are received and acted upon.

Should the definition require either txn, jti, or both?

[independentid]

I tend to agree that txn should be required. Also it is possible that multiple sets can have same txn if publisher chooses to issue separate sets for the same txn. Eg. Authentication factor change and prov change indicating attribute changes. Other case is async bulk response. PhilPhilOn Nov 27, 2023, at 10:16 AM, Dean H. Saxe - AWS Identity @.***> wrote: In the definition for txn it is stated, "if not provided, the SET jti claim may be used." As I read this it does not appear that either are required, which could lead to a state where duplicate transactions are received and acted upon. Should the definition require either txn, jti, or both?

—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you are subscribed to this thread.Message ID: @.***>

[dhs-aws]

See PR #29 for suggested verbiage.